feat: Add dnsdist as backend
48
dnsdist.service
Normal file
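--- a/dnsdist.service
+++ b/dnsdist.service
@@ -0,0 +1,48 @@
+[Unit]
+Description=DNS Loadbalancer
+Documentation=man:dnsdist(1)
+Documentation=https://dnsdist.org
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+ExecStartPre=/usr/bin/dnsdist --check-config
+# Note: when editing the ExecStart command, keep --supervised and --disable-syslog
+ExecStart=/usr/bin/dnsdist --supervised --disable-syslog
+User=root
+Group=root
+Type=notify
+Restart=on-failure
+RestartSec=2
+TimeoutStopSec=5
+StartLimitInterval=0
+
+# Tuning
+LimitNOFILE=16384
+TasksMax=8192
+
+# Sandboxing
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+# Setting PrivateUsers=true prevents us from opening our sockets
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+
+[Install]
+WantedBy=multi-user.target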
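Review bot: `User=root` and `Group=root` in [Service] work against the sandboxing block that follows them. The process keeps uid 0, so it still owns and can modify root-owned files wherever `ProtectSystem=full` leaves the tree writable (for example under /var), even with the bounding set cut down to CAP_NET_BIND_SERVICE. `AmbientCapabilities=CAP_NET_BIND_SERVICE` is the setting that lets an unprivileged account bind a low port such as 53, and it has no practical effect while the service runs as root. I would run the unit under a dedicated account, e.g. `User=<dnsdist-service-account>` and `Group=<dnsdist-service-group>` (placeholders), and make the configuration file readable by that account. Separately, `ProtectSystem=strict` with explicit `ReadWritePaths=` would be tighter once the paths dnsdist writes to are known.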